Retailers, hotels, shopping centers, and parking operators are deploying automated license plate reader (“ALPR”) cameras at their properties across the country for security and parking management. The largest ALPR networks capture billions of license plate reads per month. And the data may also be entering the broader adtech ecosystem.

Most operators have no idea they are sitting on potential class action exposure in the billions.

The Dormant Statute

California’s Automated License Plate Reader Privacy Act, Cal. Civ. Code §§ 1798.90.5–.55, was enacted in 2015 and took effect January 1, 2016. It sat largely dormant for a decade. The statute requires any operator or end-user of an ALPR system to implement and publicly post a usage and privacy policy meeting specific statutory requirements. Many companies deploying ALPR cameras have not done this, and the plaintiffs’ bar has taken note.

The remedial scheme practically invites class action litigation. Affected persons are entitled to $2,500 in statutory damages per violation. There is no requirement to show data misuse, breach, or any other concrete harm beyond the violation of the individual’s “right to know.” Plaintiffs may also recover punitive damages, attorneys’ fees, and injunctive relief. In other words, a property with 500,000 annual visitors faces damages in the billions on one year alone.

The Recent Catalyst

In February 2026, a California appellate court turned the statute into a class action weapon. In Bartholomew v. Parking Concepts, Inc., 118 Cal. App. 5th 438 (1st Dist. 2026), the court held that operating ALPR cameras without implementing and publicly posting the required policy is, standing alone, an actionable violation. A footnote also left open the question whether a partially compliant policy could be actionable, expanding the risk beyond entities with no policy at all.

The Wave of New Cases

Since Bartholomew, plaintiffs have filed class actions against virtually every category of commercial ALPR deployer: shopping centers and malls, big-box retailers, grocery stores, hotels, commercial campuses, parking operators, and ALPR vendors themselves. As apparent from internet advertising by plaintiffs’ firms, numerous additional investigations are actively recruiting plaintiffs for new cases. Considering that the California Supreme Court denied review of Bartholomew on May 13, 2026, the trend is unlikely to subside.

This trend is expanding beyond California. Washington enacted its own ALPR law (SB-6002) on March 30, 2026, effective immediately. That law primarily targets government agencies rather than private commercial operators, but it makes a vendor's violation of the statute a per se unfair or deceptive act under Washington's Consumer Protection Act.

What to Do

• Audit ALPR deployment across your properties. Identify the vendor and review contractual terms governing data access, retention, and sharing.

• Post a compliant ALPR usage and privacy policy.

• Audit data-sharing practices. Do not rely on vendor representations alone.

• Review vendor contracts for risk allocation and indemnification. The statute places liability on the operator, not the vendor.

• Monitor multi-state legislative developments.